Analysis Overview
SHA256
2fcac593d546c7851019d63e14ef52efea39b47889f48c52442ab08bb6bab641
Threat Level: Known bad
The file 2fcac593d546c7851019d63e14ef52efea39b47889f48c52442ab08bb6bab641 was found to be: Known bad.
Malicious Activity Summary
Nullmixer family
RedLine
CryptBot
SectopRAT
PrivateLoader
Vidar family
Redline family
Cryptbot family
RedLine payload
SectopRAT payload
CryptBot payload
NullMixer
Sectoprat family
Vidar
Privateloader family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
ASPack v2.12-2.42
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
System Network Configuration Discovery: Internet Connection Discovery
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies system certificate store
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:51
Reported
2024-11-08 12:53
Platform
win7-20240903-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Vidar
Vidar family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e4dca2c59.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon143ed856f0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e4dca2c59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon144f46009e1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14a7d41591ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon144f46009e1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon144f46009e1.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon145f939d24aeccc69.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14f917178c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon143ed856f0e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1401e12caa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e0a9aa9bfa5640e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14be39fec004ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144f46009e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon143ed856f0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14a7d41591ad.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f917178c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e4dca2c59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e0a9aa9bfa5640e.exe
Mon14e0a9aa9bfa5640e.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe
Mon1401e12caa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14f917178c.exe
Mon14f917178c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon144f46009e1.exe
Mon144f46009e1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon145f939d24aeccc69.exe
Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14a7d41591ad.exe
Mon14a7d41591ad.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e4dca2c59.exe
Mon14e4dca2c59.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon143ed856f0e.exe
Mon143ed856f0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14be39fec004ab.exe
Mon14be39fec004ab.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 272
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe" -a
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14be39fec004ab.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14be39fec004ab.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping XPAJOTIY -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 948
Network
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\setup_install.exe
\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\libcurl.dll
\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\libcurlpp.dll
\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\libwinpthread-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\libgcc_s_dw2-1.dll
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14a7d41591ad.exe
\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon1401e12caa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon144f46009e1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e4dca2c59.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14f917178c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon143ed856f0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14be39fec004ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon14e0a9aa9bfa5640e.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E5F79B6\Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\CabC0F1.tmp
C:\Users\Admin\AppData\Local\Temp\TarC113.tmp
C:\Users\Admin\AppData\Local\Temp\KXTdlMY\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\KXTdlMY\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\KXTdlMY\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\KXTdlMY\3vydHHGG1n.zip
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:51
Reported
2024-11-08 12:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Vidar
Vidar family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon1401e12caa6.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e4dca2c59.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14a7d41591ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e4dca2c59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon143ed856f0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon144f46009e1.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e0a9aa9bfa5640e.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon145f939d24aeccc69.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14f917178c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon143ed856f0e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1401e12caa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e0a9aa9bfa5640e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14be39fec004ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144f46009e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon143ed856f0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14a7d41591ad.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f917178c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e4dca2c59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14be39fec004ab.exe
Mon14be39fec004ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14f917178c.exe
Mon14f917178c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon145f939d24aeccc69.exe
Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon1401e12caa6.exe
Mon1401e12caa6.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon143ed856f0e.exe
Mon143ed856f0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14a7d41591ad.exe
Mon14a7d41591ad.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e4dca2c59.exe
Mon14e4dca2c59.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2844 -ip 2844
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon14e0a9aa9bfa5640e.exe
Mon14e0a9aa9bfa5640e.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon144f46009e1.exe
Mon144f46009e1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 564
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3704 -ip 3704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 360
C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon1401e12caa6.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C10EAB7\Mon1401e12caa6.exe" -a
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping ZTSLLRFH -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1576
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 12:51
Reported
2024-11-08 12:54
Platform
win7-20241010-en
Max time kernel
40s
Max time network
156s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e4dca2c59.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e4dca2c59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon143ed856f0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14a7d41591ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon145f939d24aeccc69.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14f917178c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon143ed856f0e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1401e12caa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e0a9aa9bfa5640e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14be39fec004ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144f46009e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon143ed856f0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14a7d41591ad.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f917178c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e4dca2c59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14f917178c.exe
Mon14f917178c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon145f939d24aeccc69.exe
Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon143ed856f0e.exe
Mon143ed856f0e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon1401e12caa6.exe
Mon1401e12caa6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14be39fec004ab.exe
Mon14be39fec004ab.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon1401e12caa6.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon1401e12caa6.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14be39fec004ab.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14be39fec004ab.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe
Mon144f46009e1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e0a9aa9bfa5640e.exe
Mon14e0a9aa9bfa5640e.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14a7d41591ad.exe
Mon14a7d41591ad.exe
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e4dca2c59.exe
Mon14e4dca2c59.exe
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 436
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping BCXRJFKE -n 30
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 276
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 976
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.214:80 | N/A | tcp |
| US | 8.8.8.8:53 | KttDLaDomsPITcsmt.KttDLaDomsPITcsmt | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| N/A | 127.0.0.1:49282 | N/A | tcp |
| N/A | 127.0.0.1:49284 | N/A | tcp |
| SG | 37.0.10.244:80 | N/A | tcp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.237:80 | 37.0.10.237 | tcp |
| SG | 37.0.10.237:443 | N/A | tcp |
| SG | 37.0.10.237:443 | N/A | tcp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | bunhiv18.top | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\setup_install.exe
| MD5 | 8378337deebf667a606b87904c5640f5 |
| SHA1 | 9b9414be387aa5517e4b0cddc1744a3b1eee6a14 |
| SHA256 | 21a3177d4f299282b98eb9ae30b4e27b508354a5bf36da1fecac8b402ee2c52c |
| SHA512 | aaffd3b6e63dfc80ebff7d0d7c0888db795cf5e332b0f58cef17f3333e8500c2afc2962303d7ca30008644f2bc6106a0c9be45961433820a12869d024d330ed3 |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2872-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2872-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2872-61-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2872-60-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2872-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e4dca2c59.exe
| MD5 | 12b8842dded9134ad0cae031c4f06530 |
| SHA1 | c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e |
| SHA256 | abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17 |
| SHA512 | 967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825 |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14e0a9aa9bfa5640e.exe
| MD5 | 742fbfe1027ba9a490c1b41716b9a09b |
| SHA1 | 31257a6c9e52128368c615ee05a6ffe99536c565 |
| SHA256 | 1108105d3a999595c317b6d1ea8b997b25aef1cb0f71c95e5c5c13564f4f309a |
| SHA512 | b4d1433e0b73a25340fdbf5af69f09ced3f371862f077898904bdf530f50f6d7b9b8bfc58b8c0d63e5c443ab5602ef1cb8d332f4cee3527c8db8acf322f5116a |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon145f939d24aeccc69.exe
| MD5 | 408f2c9252ad66429a8d5401f1833db3 |
| SHA1 | 3829d2d03a728ecd59b38cc189525220a60c05db |
| SHA256 | 890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664 |
| SHA512 | d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon143ed856f0e.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14be39fec004ab.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon144f46009e1.exe
| MD5 | 3b2ca1aae0f3a277efde19ed66785e07 |
| SHA1 | edfd0bb11c0baec2475149259c8a88a61a669de9 |
| SHA256 | c65369fd8f5f8a6bcee8325879e912f7f5e5f37e40281077a4902668458887b1 |
| SHA512 | 191aa807ec2c9a663eef6439084fcc68cdba245d9924773d65f42286af1df31238931425de1c18a4b643c7cd9ac4e98e638994630af440b7a1556c1497c8bb25 |
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon1401e12caa6.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14a7d41591ad.exe
| MD5 | df80b76857b74ae1b2ada8efb2a730ee |
| SHA1 | 5653be57533c6eb058fed4963a25a676488ef832 |
| SHA256 | 5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd |
| SHA512 | 060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd |
C:\Users\Admin\AppData\Local\Temp\7zSC3806EE7\Mon14f917178c.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
memory/2404-164-0x0000000001230000-0x000000000125C000-memory.dmp
memory/1756-163-0x0000000000280000-0x0000000000288000-memory.dmp
memory/2872-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2872-69-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2872-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2872-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2872-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2508-171-0x0000000000350000-0x0000000000372000-memory.dmp
memory/2404-172-0x0000000000140000-0x0000000000162000-memory.dmp
memory/2508-173-0x0000000002EA0000-0x0000000002EC0000-memory.dmp
memory/2196-181-0x0000000000400000-0x00000000023AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarEC47.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\CabEA70.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2872-228-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2872-234-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-232-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2872-231-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2872-229-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2872-233-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2508-235-0x0000000000400000-0x0000000002CCD000-memory.dmp
memory/676-236-0x0000000000400000-0x0000000002402000-memory.dmp
memory/2872-246-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2872-245-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2872-244-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2872-243-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2872-241-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2872-240-0x0000000000400000-0x000000000051B000-memory.dmp
memory/932-254-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-255-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-256-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-257-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-259-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-261-0x0000000005AA0000-0x0000000005B43000-memory.dmp
memory/932-260-0x0000000005AA0000-0x0000000005B43000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\_Files\_Information.txt
| MD5 | 20942daec4b47bef9c3d7eb383f5a704 |
| SHA1 | 3a5e8c753b93d7aae9e0063d4949ce1e5077f08a |
| SHA256 | ce3d6039d0e7b8029d3b78a99a1c2d072f9e4f5eb61fd2b7e0e5763634ca4e87 |
| SHA512 | 1a5a92207e3f517b0b5116de74a3600ef2588767e3fe3c4b5e6bc6d153520e4d7d818b4202774569c3022afd19f515ee6202635b06cd5d64bddbbd55ce924bd5 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\_Files\_Information.txt
| MD5 | 921894ff9d4c50d57eb141c5077f8827 |
| SHA1 | d191427bdb127b5f08e307c004b4f487e2dec6da |
| SHA256 | c8c6e1f1b40517d3a869a403d77657b0c7156ad67b0e1aa99a2a28fd0c6dcbbd |
| SHA512 | 1cd1e7e3ffa36108075e485c7b77000fec9702d1fafbcddc85e4759f9e6ecf71a4dab7acb162e7a5611323e9fdbcc3949efb5df1e85db6c3caed21bf8a52caa3 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\files_\system_info.txt
| MD5 | 496ea2cba3f1617528153402025e9e82 |
| SHA1 | 35808491a2359abd39634081efdf1ace65207597 |
| SHA256 | f51fbece30323f1c7209c3b612ee98f0834fec0596ffb3777b18787bc790e759 |
| SHA512 | 1a7c6af1b80ea8bcc0a87e47a4ed47b027432130cd624b01a43581ba5457c2371ecfd75887ac4377a8d0b33fba9c949275d5757209bab99bfded18150a7d2716 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\files_\system_info.txt
| MD5 | 453145f41ff1363a061da51fe76067e0 |
| SHA1 | d53c078dbfaf13235963d7b6a51b5952cae754b1 |
| SHA256 | 5649be4205a3cdc14cc6079a66609c8158f777453ecdd9f78cff00dc86c261e1 |
| SHA512 | 5fc6a9857145848ce64e042a0be42676e460425e2dc066d46d669cc8b216e995c73d6ffb4111a9f4536703994ef3fefcafc9ece239cb07083030b5a9ac1b47e3 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\files_\system_info.txt
| MD5 | 3170fcf85e85c475c1ada4890435755b |
| SHA1 | 91ff3851f36283a18050aba9a7008801f61d7654 |
| SHA256 | b3dc43264ff70760f891ec264d4e05fad46d32c702e478b11c7e7a4ac23b4820 |
| SHA512 | 2c0f1b6a388d016d96e43e0e142b48f4a371b002b4326352fc63d8f0dc528ce488791ebf0476db48c4eee928ccf599b320199b77cb2c2a00f450dc941aec2aea |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\files_\system_info.txt
| MD5 | e3e5cb237943c54170d3a039e313c015 |
| SHA1 | 9090119ce09ca2b14cccd156a37de42b6dad0f5b |
| SHA256 | 1ddb1685c614b54d3ec5e07e7cd0d9a1e0f98c629ccbd136d8822d0feeba0004 |
| SHA512 | 7cd593bded8d8adb9cf53347a60c9cca38c32d518edbfc87155797ff50773a080fd0ea98d7b45eddec858564c99f978783f11d82b638e88641f221a040b749b5 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\_Files\_Screen_Desktop.jpeg
| MD5 | 50b72dd989a629e38c3b27e859e517f5 |
| SHA1 | a2939ff0501ccde0f89e6aeaa6e2cffa0dc0b2bc |
| SHA256 | 4b0dfe97d653618cd1f1d205aa72da1058a43b8b3bd65dbcbd411c4ca4a262ee |
| SHA512 | feb18d53d720d717b8e87aca82609462d1e69d63b38cfa7c4995fa8db3abd430d2fb0fd0bdd96c5fd21af120b8ebcea4e5835e473a211a66242cfce686664f37 |
C:\Users\Admin\AppData\Local\Temp\WRoXoQgoiTl\3k12fwmHiHKb.zip
| MD5 | 1320d2fa7072f405ac6a1462c3058d5e |
| SHA1 | bec6537134686c1d7c1eb5813accc8c926d1e760 |
| SHA256 | 2ab01436facee564c9c7b8f8fc187ecd14e657847ba4a420b102dc8baa919a95 |
| SHA512 | 5e89216aa725bac0d2e5e09ae09fb165e103ed00cafaf0af00f68cf9d2efc3aa089e7ced32ab44a5d3271302c3653118b7e0f5d87656d436f9b12621c31bd93e |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 12:51
Reported
2024-11-08 12:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e4dca2c59.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e4dca2c59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon144f46009e1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14a7d41591ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon143ed856f0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon145f939d24aeccc69.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14f917178c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon143ed856f0e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1401e12caa6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e0a9aa9bfa5640e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14be39fec004ab.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144f46009e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon143ed856f0e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14a7d41591ad.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f917178c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14e4dca2c59.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon145f939d24aeccc69.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1908 -ip 1908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 564
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon144f46009e1.exe
Mon144f46009e1.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe
Mon14e0a9aa9bfa5640e.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14be39fec004ab.exe
Mon14be39fec004ab.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon143ed856f0e.exe
Mon143ed856f0e.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14f917178c.exe
Mon14f917178c.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon145f939d24aeccc69.exe
Mon145f939d24aeccc69.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14a7d41591ad.exe
Mon14a7d41591ad.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe
Mon1401e12caa6.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e4dca2c59.exe
Mon14e4dca2c59.exe
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3880 -ip 3880
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 360
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe" -a
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping HGNBWBGW -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1548 -ip 1548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1760
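The process list above shows the whole dropper chain in plain command lines: PowerShell adding a Defender exclusion for the user's Temp directory, executables run from the 7-Zip SFX (`7zS…`) and IExpress (`IXP000.TMP`) extraction directories, `cmd` fed its script from `Mummia.wmz` on stdin, `findstr /V /R "^<junk>$"` dropping a marker line from `Pensavo.wmz` to recover a payload, that payload run as `Prendero.exe.com`, and `ping HGNBWBGW -n 30` as a delay. The following is an added example, not code from the sandbox report or from any of the families it names: a small rule set that flags each of those steps when run over constructed process-creation records. The records reuse the image paths and command lines from the list; the two benign records at the end are invented controls, and no pids or parent/child links are asserted.

```python
"""Flag the dropper techniques visible in the process list (added example)."""
import re

# Constructed process-creation records (not a real log export).
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -inputformat none -outputformat none -NonInteractive '
                r'-Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe" -a'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c cmd < Mummia.wmz"},
    {"image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": r'findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com",
     "cmdline": "Prendero.exe.com z"},
    {"image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping HGNBWBGW -n 30"},
    # invented benign controls: the rules must stay quiet on these
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping fileserver -n 2"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c dir C:\Temp"},
]

# Directories an unprivileged user can write to, and the temp directories that
# 7-Zip SFX (7zS<hex>) and IExpress (IXP<nnn>.TMP) archives unpack into.
USER_WRITABLE = re.compile(r"(?i)\\(?:users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\")
SFX_DIR = re.compile(r"(?i)\\temp\\(?:7zs[0-9a-f]+|ixp\d{3}\.tmp)\\")


def defender_exclusion(ev):
    # Add-MpPreference -Exclusion{Path,Process,Extension}: any process/extension
    # exclusion, or a path exclusion under a user-writable directory, is reported.
    m = re.search(r'(?i)add-mppreference\b.*?-exclusion(path|process|extension)\s+"?([^"\s]+)',
                  ev["cmdline"])
    if not m:
        return None
    kind, value = m.group(1).lower(), m.group(2)
    if kind != "path" or USER_WRITABLE.search(value + "\\"):
        return f"Defender {kind} exclusion added for {value}"
    return None


def cmd_stdin_script(ev):
    # "cmd < file": the commands come from the file, not from the command line,
    # so nothing in the process tree shows what was executed.
    m = re.search(r'(?i)\bcmd(?:\.exe)?\s*<\s*"?([^"\s]+)', ev["cmdline"])
    return f"cmd.exe reads its commands from stdin file {m.group(1)}" if m else None


def findstr_carve(ev):
    # findstr /V /R "^<long marker>$" file: every line except the marker survives,
    # which is how a payload padded with a junk line is written back out.
    m = re.search(r'(?i)\bfindstr(?:\.exe)?\b(?=.*\s/V\b)(?=.*\s/R\b)'
                  r'.*?"\^([^"$]{24,})\$"\s+"?([^"\s]+)', ev["cmdline"])
    if m:
        return f"findstr /V strips a {len(m.group(1))}-char marker line from {m.group(2)}"
    return None


def ping_sleep(ev):
    # A large -n count against loopback or a dotless name is the batch-file
    # substitute for sleep. Caveat: if the name does not resolve, ping exits at
    # once, so the real delay depends on the DNS the sample sees.
    toks = ev["cmdline"].split()
    if not toks or toks[0].lower() not in ("ping", "ping.exe"):
        return None
    count, target, i = 4, None, 1          # Windows default is 4 echo requests
    while i < len(toks):
        if toks[i].lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            count, i = int(toks[i + 1]), i + 2
            continue
        if target is None and not toks[i].startswith("-"):
            target = toks[i]
        i += 1
    if target and count >= 10 and ("." not in target or target.startswith("127.")):
        return f"ping {target} -n {count} used as a delay loop"
    return None


def double_extension(ev):
    # .com is an executable extension, so "x.exe.com" is a PE whose ".exe." part
    # exists only to mislead a reader of the path.
    name = ev["image"].rsplit("\\", 1)[-1]
    if re.search(r"(?i)\.(?:exe|dll|scr|pif)\.(?:exe|com|scr|pif)$", name):
        return f"misleading double extension {name}"
    return None


def sfx_extraction_dir(ev):
    if SFX_DIR.search(ev["image"]):
        return "executable launched from an SFX extraction directory (7zS* = 7-Zip SFX, IXP*.TMP = IExpress)"
    return None


RULES = {f.__name__: f for f in (defender_exclusion, cmd_stdin_script, findstr_carve,
                                 ping_sleep, double_extension, sfx_extraction_dir)}


def scan(events):
    """Return (record index, rule name, detail) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((idx, name, detail))
    return hits


if __name__ == "__main__":
    for idx, name, detail in scan(EVENTS):
        print(f"[{idx}] {name}: {detail}")
```

Each rule is deliberately narrow: the exclusion rule only fires for process/extension exclusions or for paths under user-writable directories, and the ping rule needs both a large count and a loopback or dotless target, so routine admin use of either tool is not reported.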
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| N/A | 127.0.0.1:56564 | | tcp |
| N/A | 127.0.0.1:56566 | | tcp |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | KttDLaDomsPITcsmt.KttDLaDomsPITcsmt | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.244:80 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.237:80 | 37.0.10.237 | tcp |
| SG | 37.0.10.237:443 | | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.10.0.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
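The Network table mixes three different things in one column: reverse (PTR) lookups of addresses the sandbox itself saw, forward lookups of the sample's hostnames, and the TCP connections that followed. Reading it by hand, it is easy to miss that several names (hsiens.xyz, live.goatgame.live, the .xyz domains) are queried repeatedly but never appear in a TCP row, while 37.0.10.x is contacted directly by address. The following is an added example, not part of the sandbox report: a parser for this table layout plus a triage pass that separates those cases. The embedded sample is a constructed subset of the rows above, and the parser also accepts rows whose Domain cell is blank, whether the blank is in place or the protocol has slid into the Domain slot.

```python
"""Triage a sandbox network table into IOC buckets (added example)."""

# Constructed subset of the table rows above, including one row in each
# layout the export uses for a connection without a resolved name.
SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 127.0.0.1:56564 | tcp | |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| CN | 114.55.25.226:80 | viacetequn.site | tcp |
| SG | 37.0.10.237:80 | 37.0.10.237 | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
"""


def parse_rows(text):
    """Turn '| Country | Destination | Domain | Proto |' lines into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Country":          # header row
            continue
        while len(cells) < 4:
            cells.append("")
        country, dest, domain, proto = cells[:4]
        # Blank Domain cell exported as '| tcp | |': shift the protocol back.
        if domain.lower() in ("tcp", "udp") and not proto:
            proto, domain = domain, ""
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(labels))


def triage(rows):
    """Split rows into PTR lookups, contacted names, names only queried,
    direct-to-IP connections and loopback noise."""
    ptr, queried, contacted, direct, loopback = set(), set(), {}, set(), set()
    for r in rows:
        d = r["domain"]
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            if d.lower().endswith(".in-addr.arpa"):
                ptr.add(ptr_to_ip(d))
            elif d:
                queried.add(d.lower())
        elif r["proto"] == "tcp":
            ip = r["dest"].rsplit(":", 1)[0]
            if d and d != ip:
                contacted.setdefault(d.lower(), set()).add(r["dest"])
            elif ip.startswith("127."):
                loopback.add(r["dest"])
            else:
                direct.add(r["dest"])
    return {
        "ptr_lookups": sorted(ptr),
        "contacted": {k: sorted(v) for k, v in sorted(contacted.items())},
        # Queried but no TCP row: resolution failed, the host did not answer,
        # or the traffic used a port/protocol the table does not show.
        "queried_never_contacted": sorted(queried - set(contacted)),
        "direct_ip": sorted(direct),
        "loopback": sorted(loopback),
    }


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(SAMPLE)).items():
        print(f"{bucket}: {items}")
```

The `queried_never_contacted` bucket is a triage hint, not a verdict: a name with no TCP row may be dead, may have been blocked by the sandbox egress policy, or may be reached over something the table does not list, so confirm against the raw pcap before calling a domain inactive. The PTR bucket is mostly the sandbox's own reverse lookups of addresses it has just talked to and is usually dropped from an IOC list.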
Files
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\setup_install.exe
| MD5 | 8378337deebf667a606b87904c5640f5 |
| SHA1 | 9b9414be387aa5517e4b0cddc1744a3b1eee6a14 |
| SHA256 | 21a3177d4f299282b98eb9ae30b4e27b508354a5bf36da1fecac8b402ee2c52c |
| SHA512 | aaffd3b6e63dfc80ebff7d0d7c0888db795cf5e332b0f58cef17f3333e8500c2afc2962303d7ca30008644f2bc6106a0c9be45961433820a12869d024d330ed3 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1908-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1908-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1908-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1908-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1908-54-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1908-53-0x000000006494A000-0x000000006494F000-memory.dmp
memory/1908-52-0x0000000000D70000-0x0000000000DFF000-memory.dmp
memory/1908-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1908-50-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/1908-64-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon143ed856f0e.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon145f939d24aeccc69.exe
| MD5 | 408f2c9252ad66429a8d5401f1833db3 |
| SHA1 | 3829d2d03a728ecd59b38cc189525220a60c05db |
| SHA256 | 890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664 |
| SHA512 | d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e4dca2c59.exe
| MD5 | 12b8842dded9134ad0cae031c4f06530 |
| SHA1 | c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e |
| SHA256 | abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17 |
| SHA512 | 967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14f917178c.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14a7d41591ad.exe
| MD5 | df80b76857b74ae1b2ada8efb2a730ee |
| SHA1 | 5653be57533c6eb058fed4963a25a676488ef832 |
| SHA256 | 5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd |
| SHA512 | 060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon144f46009e1.exe
| MD5 | 3b2ca1aae0f3a277efde19ed66785e07 |
| SHA1 | edfd0bb11c0baec2475149259c8a88a61a669de9 |
| SHA256 | c65369fd8f5f8a6bcee8325879e912f7f5e5f37e40281077a4902668458887b1 |
| SHA512 | 191aa807ec2c9a663eef6439084fcc68cdba245d9924773d65f42286af1df31238931425de1c18a4b643c7cd9ac4e98e638994630af440b7a1556c1497c8bb25 |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14be39fec004ab.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon1401e12caa6.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1908-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1908-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EDA1DF7\Mon14e0a9aa9bfa5640e.exe
| MD5 | 742fbfe1027ba9a490c1b41716b9a09b |
| SHA1 | 31257a6c9e52128368c615ee05a6ffe99536c565 |
| SHA256 | 1108105d3a999595c317b6d1ea8b997b25aef1cb0f71c95e5c5c13564f4f309a |
| SHA512 | b4d1433e0b73a25340fdbf5af69f09ced3f371862f077898904bdf530f50f6d7b9b8bfc58b8c0d63e5c443ab5602ef1cb8d332f4cee3527c8db8acf322f5116a |
memory/1908-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1908-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1908-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2300-83-0x0000000000150000-0x0000000000158000-memory.dmp
memory/2032-86-0x00000000007A0000-0x00000000007CC000-memory.dmp
memory/1964-88-0x0000000000D30000-0x0000000000D66000-memory.dmp
memory/2032-89-0x0000000000F60000-0x0000000000F82000-memory.dmp
memory/1964-90-0x0000000004E60000-0x0000000005488000-memory.dmp
memory/1964-104-0x0000000005490000-0x00000000054F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53jt35nv.lgk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1964-100-0x0000000004DD0000-0x0000000004E36000-memory.dmp
memory/1964-97-0x0000000004CB0000-0x0000000004CD2000-memory.dmp
memory/1964-109-0x0000000005600000-0x0000000005954000-memory.dmp
memory/1908-119-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1908-118-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1908-117-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1908-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mummia.wmz
| MD5 | 6f6fe96279c933c2170e75f49cf43718 |
| SHA1 | bbe211eaebbeb120b9ca3cd204aacbbeef20cb7e |
| SHA256 | e6919da4e2658c82ebbcca670053d77e1231a5a600bf5aeaba71e5852e09022f |
| SHA512 | 76160b79d3cbe2fca6d95b096043641a96b13007f287f8e55b94eab16cbb98691a8e8fa8d035da434e84f689bb8d36478f632976481b56c7170889553a629748 |
memory/1908-114-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1908-110-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1964-122-0x0000000005B10000-0x0000000005B5C000-memory.dmp
memory/1964-121-0x0000000005AF0000-0x0000000005B0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensavo.wmz
| MD5 | 3928f9cc043cfb53823761dac703fd04 |
| SHA1 | c825e75ae21b995996763487de07176230c2535e |
| SHA256 | c2d4ebb0b7be8eb8683cc1fdcd0b95c834888c56d555e6d23497ae211835f412 |
| SHA512 | 8739619195c9d1409819822ae3c53415ac57a1c485b6947022d81981c9a0c7811ea5a30af0ef32e0a34aacf589f74366866dc1e7e03cd4addf56b71b6b25d9c5 |
memory/3880-126-0x0000000000400000-0x00000000023AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.wmz
| MD5 | a1ac3489d2401d26e3aea9bcb0a85b10 |
| SHA1 | 6a4c4004ef746ed16d25c3fe425a6c78fcefe9b4 |
| SHA256 | 1cb9452373f7b755b1c64b41bd7ffcfe4fe0ab92fd08c61c283c5deccfd89146 |
| SHA512 | 293a84faadb89219945fde5836786cbcf4bdcaf36638603a5e95e80df4f5daf0b180d1f768deecee77b828ef736a337925479c37ae1e1f7126934f80be7b5e2e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1964-136-0x00000000060A0000-0x00000000060D2000-memory.dmp
memory/1964-137-0x0000000074820000-0x000000007486C000-memory.dmp
memory/1964-147-0x00000000060E0000-0x00000000060FE000-memory.dmp
memory/1964-148-0x0000000006CB0000-0x0000000006D53000-memory.dmp
memory/1964-156-0x0000000006E10000-0x0000000006E2A000-memory.dmp
memory/1964-155-0x0000000007450000-0x0000000007ACA000-memory.dmp
memory/1964-158-0x0000000006E90000-0x0000000006E9A000-memory.dmp
memory/1964-162-0x0000000007080000-0x0000000007116000-memory.dmp
memory/1964-163-0x0000000007010000-0x0000000007021000-memory.dmp
memory/1964-164-0x0000000007040000-0x000000000704E000-memory.dmp
memory/1964-166-0x0000000007050000-0x0000000007064000-memory.dmp
memory/1548-165-0x0000000000400000-0x0000000002402000-memory.dmp
memory/1964-167-0x0000000007140000-0x000000000715A000-memory.dmp
memory/4692-168-0x0000000004C40000-0x0000000004C62000-memory.dmp
memory/1964-169-0x0000000007130000-0x0000000007138000-memory.dmp
memory/4692-171-0x0000000004CE0000-0x0000000004D00000-memory.dmp
memory/4692-170-0x0000000007480000-0x0000000007A24000-memory.dmp
memory/4692-174-0x0000000007A30000-0x0000000008048000-memory.dmp
memory/4692-175-0x0000000007310000-0x0000000007322000-memory.dmp
memory/4692-176-0x0000000007330000-0x000000000736C000-memory.dmp
memory/4692-177-0x0000000007390000-0x00000000073DC000-memory.dmp
memory/4692-178-0x0000000008100000-0x000000000820A000-memory.dmp
memory/4692-179-0x0000000000400000-0x0000000002CCD000-memory.dmp
memory/1028-191-0x0000000001E00000-0x0000000001EA3000-memory.dmp
memory/1028-192-0x0000000001E00000-0x0000000001EA3000-memory.dmp
memory/1028-193-0x0000000001E00000-0x0000000001EA3000-memory.dmp
memory/1028-194-0x0000000001E00000-0x0000000001EA3000-memory.dmp
memory/1028-195-0x0000000001E00000-0x0000000001EA3000-memory.dmp
memory/1028-196-0x0000000001E00000-0x0000000001EA3000-memory.dmp